Created attachment 321374
tests and denials

Description of problem:
The "service netfs restart" command fails if "/etc/fstab" has context mounts. Context mounts specified in "/etc/fstab" fail to mount.

Version-Release number of selected component (if applicable):
initscripts-8.84-1.i386
rpcbind-0.1.6-2.fc10.i386
nfs-utils-lib-1.1.4-1.fc10.i386
nfs-utils-1.1.4-1.fc10.i386
policycoreutils-2.0.57-4.fc10.i386
libselinux-python-2.0.73-1.fc10.i386
libselinux-2.0.73-1.fc10.i386
libselinux-utils-2.0.73-1.fc10.i386
selinux-policy-targeted-3.5.13-4.fc10.noarch
selinux-policy-3.5.13-4.fc10.noarch

How reproducible:
Always.

Steps to Reproduce:
1. See attached.

Actual results:
# service netfs restart
Mounting NFS filesystems:
mount.nfs: access denied by server while mounting localhost:/export/web
mount.nfs: access denied by server while mounting localhost:/export/database

Denials logged to /var/log/messages:
setroubleshoot: SELinux is preventing mount.nfs (mount_t) "relabelfrom" httpd_sys_content_t. For complete SELinux messages. run sealert -l 178f3a75-e83c-4ead-b57d-38efe1f49db5
setroubleshoot: SELinux is preventing mount.nfs (mount_t) "relabelfrom" mysqld_db_t. For complete SELinux messages. run sealert -l 667d2aec-83ad-4af5-b858-4d46ecc96e8a

Expected results:
No errors and file systems mount.

Additional info:
Works as expected on:
Red Hat Enterprise Linux Client release 5.2 (Tikanga)
initscripts-8.45.19.1.EL-1
portmap-4.0-65.2.2.1
nfs-utils-lib-1.0.8-7.2.z2
nfs-utils-1.0.9-35z.el5_2
policycoreutils-1.33.12-14.el5
libselinux-devel-1.33.4-5.el5
libselinux-python-1.33.4-5.el5
libselinux-1.33.4-5.el5
selinux-policy-targeted-2.4.6-137.1.el5_2
selinux-policy-2.4.6-137.1.el5_2

audit2allow suggested:

module testpolicy 1.0;

require {
        type mysqld_db_t;
        type httpd_sys_content_t;
        type mount_t;
        class filesystem relabelfrom;
}

#============= mount_t ==============
allow mount_t httpd_sys_content_t:filesystem relabelfrom;
allow mount_t mysqld_db_t:filesystem relabelfrom;

Fixed in selinux-policy-3.5.13-7.fc10